Solved

Sonicwall Pro 4060 xAuth

Posted on 2012-03-16
Last Modified: 2012-08-17
Good Morning,

I have set up our new Sonicwall Pro 4060 and all is fine except that Global VPN users can't log in if I use xauth. If I set it for "allow unauthenticated users" then users can connect, but I need to have it working with xauth. At this point, I don't see why xauth is not working.



Please help.

Helmut K
Question by:HELMUTHK
6 Comments
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37731515
 

Author Comment

by:HELMUTHK
ID: 37743403
Thanks for the info, but this does not resolve my problem.

Here is more information on setup and config:

I am logging in from a Windows XP machine with the Sonicwall client. Also tried the login from a Windows 7 system, with the latest Sonicwall Global VPN client. Same results. OK if I set it for "allow unauthenticated users", but it does not accept user ID/password when set to use xauth on the Pro 4060.

Here is my config from the 4060:
General tab
Wan Group VPN
IKE using preshared secret

Proposals phase1
DH group = Group2
ENC = 3des
Auth = SHA1
Lifetime = 28800

Proposals phase2
Protocol = ESP
ENC = 3DES
Auth = MD5

Enable perfect forward secrecy = yes
DH group = Group2
lifetime = 28800

Advanced Tab
Management via this sa = https

when set for xauth: User Group for XAUTH = Trusted Users.
I also created a new group called Global VPN Users, added the users/members to this group, VPN access to LAN subnets. Won't allow user\password to connect.

When set for "allow Unauthenticated VPN client access" = LAN Subnets, connects properly.

Client Tab
Allow connections to = This Gateway Only


Thanks,

Helmut K
 
LVL 3

Expert Comment

by:Konsultant
ID: 37748677
Hi Helmut,

Can you provide logs from GVC and from the SonicWall? You should see in the logs the reasons why the user was not authenticated. Also, for your testing it may not work when you are connected as admin from the same source IP address. So make sure that when you are testing you are not logged in as Admin at the same time.

Good luck!

Author Comment

by:HELMUTHK
ID: 37748812
Log from 4060:

1 03/21/2012 10:40:12.656 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
2 03/21/2012 10:40:12.656 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
3 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Reply sent        
4 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Request Received        
5 03/21/2012 10:39:47.768 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF9 state=9        
6 03/21/2012 10:39:26.608 Alert Intrusion Prevention Probable port scan detected 173.194.33.40, 80, X1 209.53.201.211, 49578, X1 TCP scanned port list, 58864, 31332, 28539, 16340, 53586, 32797, 47627, 42182, 6607, 49578  
7 03/21/2012 10:39:11.336 Alert Intrusion Prevention Possible port scan detected 173.194.33.40, 80, X1 209.53.201.211, 45041, X1 TCP scanned port list, 11445, 54875, 45123, 55020, 32341  
8 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Reply sent        
9 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Request Received        
10 03/21/2012 10:38:47.656 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF8 state=9        
11 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
12 03/21/2012 10:38:41.240 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
13 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
14 03/21/2012 10:38:40.816 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500    
15 03/21/2012 10:38:38.656 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
16 03/21/2012 10:38:38.656 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
17 03/21/2012 10:38:38.416 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
18 03/21/2012 10:38:38.144 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
19 03/21/2012 10:38:25.304 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
20 03/21/2012 10:38:25.144 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
21 03/21/2012 10:38:24.880 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
22 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
23 03/21/2012 10:38:12.784 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
24 03/21/2012 10:38:12.640 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
25 03/21/2012 10:38:12.416 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
26 03/21/2012 10:38:08.064 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
27 03/21/2012 10:38:08.064 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
28 03/21/2012 10:38:08.016 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
29 03/21/2012 10:38:07.896 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
30 03/21/2012 10:37:57.704 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
31 03/21/2012 10:37:57.608 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
32 03/21/2012 10:37:57.608 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device      
33 03/21/2012 10:37:57.496 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
34 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Reply sent        
35 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Request Received        
36 03/21/2012 10:37:47.576 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF7 state=9        
37 03/21/2012 10:37:44.144 Info Authenticated Access GUI administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin  
38 03/21/2012 10:37:44.144 Info Authenticated Access Configuration mode administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
39 03/21/2012 10:37:44.144 Info Authenticated Access Administrator logged out 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 User logged out  
40 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Reply sent        
41 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Request Received        
42 03/21/2012 10:36:47.464 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF6 state=9        
43 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Reply sent        
44 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Request Received        
45 03/21/2012 10:35:47.352 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF5 state=9        
46 03/21/2012 10:34:36.592 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
47 03/21/2012 10:34:36.592 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
48 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Reply sent        
49 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Request Received        
50 03/21/2012 10:33:47.176 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF3 state=9        


Log from laptop:

Shows "user authentication has failed"


It must be something quite simple, such as spelling or caps, etc., but I don't see it, and I have checked the configuration many times. I guess I will have to go over it all again.

Regards,

helmut K.
 

Author Comment

by:HELMUTHK
ID: 37749472
Hello All,

I resolved the problem. The user ID is case sensitive as well as the password.

Problem Fixed.

Thanks to those who tried to help.

Helmut K.
 
LVL 3

Accepted Solution

by:
Konsultant earned 500 total points
ID: 37749629
Yes it is... It never crossed my mind that you would use different capitalization.
Good luck!

P.S. I had a problem in the past testing GVC from the same network as the WAN interface. I am not sure if this is valid today.
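The resolution in this thread was that the XAUTH user ID is case sensitive, and the 4060 log posted above already shows the same ID failing as both `helmutk` and `HELMUTK`. As an added example (not part of the original thread), this Python sketch parses log lines in the layout shown above, lists XAUTH failures, and flags IDs that match a configured account only when case is ignored. The sample lines are constructed, and the stored spelling `HelmutK` is a hypothetical value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the log layout shown in this thread
# (addresses are documentation ranges, not the poster's).
SAMPLE_LOG = """\
11 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 203.0.113.13 (HELMUTK) 203.0.113.11 HELMUTK
12 03/21/2012 10:38:41.240 Info Authenticated Access User login denied due to bad credentials 203.0.113.13, 0, X1 203.0.113.11, 0, X1 HELMUTK, TCP Port: 0
13 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 203.0.113.13, 500 (HELMUTK) 203.0.113.11, 500
22 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 203.0.113.13 (helmutk) 203.0.113.11 helmutk
40 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Reply sent
"""

XAUTH_FAIL = re.compile(
    r"^\d+\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+Error\s+VPN Client\s+"
    r"XAUTH Failed with VPN client, Authentication failure\s+"
    r"(?P<src>\S+)\s+\((?P<user>[^)]+)\)"
)

def xauth_failures(text):
    """Return (timestamp, source_ip, user_id) for every XAUTH failure line."""
    out = []
    for line in text.splitlines():
        m = XAUTH_FAIL.match(line.strip())
        if m:
            out.append((m["ts"], m["src"], m["user"]))
    return out

def case_mismatches(failures, configured_users):
    """Group failed IDs that equal a configured name only when case is ignored."""
    by_folded = {u.casefold(): u for u in configured_users}
    hits = defaultdict(set)
    for _ts, src, user in failures:
        expected = by_folded.get(user.casefold())
        if expected is not None and expected != user:
            hits[(src, expected)].add(user)
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    fails = xauth_failures(SAMPLE_LOG)
    # "HelmutK" is a hypothetical spelling of the account as stored on the firewall.
    for (src, expected), typed in case_mismatches(fails, ["HelmutK"]).items():
        print(f"{src}: typed {typed}, configured as {expected!r} (case differs)")
```

A failed ID that matches no configured account even with case ignored is not reported, so anything this flags points at capitalization rather than an unknown user.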